Run security tests. Have your configuration reviewed or have a security-penetration test performed against the deployed security proxy to ensure the configuration is sound. One wrong regular-expression rule can leave your site vulnerable, but it may not be obvious. Contracting a standard Web application security assessment with any of the numerous security-services companies on the market is a start--if they find any vulnerabilities in the (supposedly) protected Web site, you know the security proxy is not configured properly. In addition, some security-proxy vendors offer configuration training and on-site implementation review. Some, like Teros, even include this in the initial purchase cost.
Patch your servers. Finally, security proxies do not negate the need to patch your servers. Removing the vulnerability is always a better solution than merely denying access to it (see "PatchLink Helps Keep Windows Closed").
Go Deep
By adding a security proxy, you erect one more layer between you and would-be attackers. If you implement this layer effectively, you will be able to protect against Web vulnerabilities to which you were previously susceptible.
The products we tested had pluses and minuses in different environments, and none is the security silver bullet we'd dreamt of. The Teros-100 APS is only a solid median solution, iSecureWeb is complex to configure, and webApp.Secure is not complex enough. The battle came down to two--Kavado InterDo and Sanctum AppShield--which tied on points. And though InterDo is easier to handle and offers more features, its lack of protection for dynamic form values cost it the trophy. We gave AppShield our Editor's Choice award.
Sanctum AppShield 4.0 | Kavado InterDo 2.5 Web Application Firewall | Teros Teros-100 APS | WebScurity webApp.Secure Professional 1.1 | MultiNet iSecureWeb
Sanctum AppShield 4.0
We tested AppShield 4.0 with Service Pack 2 and Option Pack 1 applied to gain additional support for handling OWA WebDAV queries. AppShield has been around the longest of the products tested, and its maturity is obvious. It has a full complement of features and a flexibility that makes it adaptable to nearly every standard Web environment.
